Skip to content

include tests in installed package #232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 24, 2022

Conversation

perrinjerome
Copy link
Contributor

@perrinjerome perrinjerome commented Aug 23, 2022

Fixes #231

This moves the tests to a sub-directory of RestrictedPython, so that they are installed along with the package.

This also required adjusting the imports from within the tests (making them relative imports after adding necessary __init__.py ) and making the tests pass the linter (they were not linted before, because they were not part of src I guess).
Some configuration that became unnecessary was also removed ( no need to include from tests in MANIFEST and no need to collect coverage from tests )

@d-maurer
Copy link
Contributor

d-maurer commented Aug 23, 2022 via email

@perrinjerome
Copy link
Contributor Author

Jérome Perrin wrote at 2022-8-23 08:03 -0700:
Fixes #231
In my opinion, you should check the git history to find who has moved the tests; hopefully, the commit message also include the reason for the move.

I looked at history first, hoping to find one commit moving the tests, but they were not just moved, it was new tests created in tests by porting the tests from src/RestrictedPython/tests. That and it's what I tried to describe as "tests were gradually moved from src/RestrictedPython/tests to tests", but that was not really a clear explanation, let me try to explain with more details and example commits.

It started with 8f745a8 which introduced pytest and new tests in tests. At that time, the tests in src/RestrictedPython/tests were still all there.

During the development of version 4, tests were "ported" to new tests folder, like for example in these commits: ea7f250 6fcc399 c370a97 . Sometimes the commits adding tests in tests also removes the test from the old src/RestrictedPython/tests but sometimes not. 4e89925 was the last commit of this work, which removes all the old 3 implementation and all the old tests. After that, all the tests were in tests.

@perrinjerome
Copy link
Contributor Author

@icemac you were very active in the development of version 4 and moving the tests to tests. Do you see a problem with moving the tests back to src/RestrictedPython/tests so that they get installed ? Thanks in advance

@perrinjerome perrinjerome marked this pull request as ready for review August 24, 2022 01:54
@icemac
Copy link
Member

icemac commented Aug 24, 2022

@perrinjerome I support moving the tests back to src. It was kind of a trick while porting to Python 3 to have the ability to tests both RestrictedPython implementations (the Py2 only and the universal one) next to each other but keeping the test code separate.

Copy link
Member

@icemac icemac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM besides some comments. (The .meta.toml ones I could also fix after the merge.)

@@ -15,4 +15,3 @@ recursive-include src *.py
recursive-include docs *.ast
recursive-include docs *.bat
recursive-include docs *.jpg
recursive-include tests *.py
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is generated, removing this line has to be changed in .meta.toml, too.

@@ -98,7 +98,7 @@ setenv =
COVERAGE_FILE=.coverage
commands =
mkdir -p {toxinidir}/parts/htmlcov
pytest --cov=src --cov=tests --cov-report= {posargs}
pytest --cov=src --cov-report= {posargs}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is generated, changing these lines has to done in .meta.toml, too.

perrinjerome and others added 2 commits August 24, 2022 15:36

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Co-authored-by: Michael Howitz <mh@gocept.com>

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
@perrinjerome
Copy link
Contributor Author

Thanks a lot @icemac ! I did not notice the .meta.toml, but I looked at https://github.com/zopefoundation/meta/tree/master/config and now I understand.

I applied the same changes in .meta.toml, so I guess this is good to merge

@perrinjerome perrinjerome merged commit 84a5015 into zopefoundation:master Aug 24, 2022
icemac pushed a commit that referenced this pull request Aug 25, 2022
@d-maurer
Copy link
Contributor

d-maurer commented Oct 11, 2022 via email

@loechel
Copy link
Member

loechel commented Oct 11, 2022

Well, it was my decission to move the tests out of the installed package scope.
From a security perspective tests should never be forced to be installed in a production environment. Tests are test, the should life outsite of the installed package scope. But I agree with @d-maurer that tests should always be distributed in source packages.

But as this ticket / pull request has already been merged, what should be done? I am in favoure of directly revert that and let the tests be in seperate scope. All what @perrinjerome wants is to run the the original tests after his monkey patch been applied. Thats the normal case and is directly supported by all test frameworks, so why install the test?

@loechel
Copy link
Member

loechel commented Oct 11, 2022

After even looking more into the pull-request. I veto on releasing any new RestrictedPython version with that merge included. It is a security issue and a absolute nogo. RestrictedPython was always planed at written so that it did not depend on any external package. If the tests lifes inside the package scope and have imports from external packages like pytest, which is even not declared in the setup.py, that is absolutly not accepatble.

@icemac please revert that merge.

@perrinjerome
Copy link
Contributor Author

All what @perrinjerome wants is to run the the original tests after his monkey patch been applied. Thats the normal case and is directly supported by all test frameworks, so why install the test?

Maybe my use case was not clear, or maybe I misunderstood something.

The background story is that I have a package which depends on RestrictedPython and this packages use monkey patches to "extend" RestrictedPython. I want to confirm that the monkey patches do not break original behavior of RestrictedPython, so what I do in my package's test is: import my module applying monkey patches and then import RestrictedPython test suite and run it as part of my package test suite. I think this is only possible if RestrictedPython tests shipped with RestrictedPython package.

With RestrictedPython 3.6.0, I used something like this :

import mypackage.monkeypatches

def test_suite():
  suite = unittest.TestSuite()
  import RestrictedPython.tests.testCompile
  suite.addTest(RestrictedPython.tests.testCompile.test_suite())
  import RestrictedPython.tests.testUtiliities
  suite.addTest(RestrictedPython.tests.testUtiliities.test_suite())
  ...

When updating RestrictedPython this was no longer possible (but maybe I missed something ?). There is anyway another change that RestrictedPython switched to pytest, I am not sure it would be possible to use this same approach with pytest.

That was the context, but the main reason that made me suggest these changes was that other zopefoundation packages seem to all install the tests, as described in the issue ( #231 ) and it did not seem intentional that this package was an exception.

For sure, I don't have any problem with having these changes reverted, my use case might be a bit exotic use case.

@perrinjerome
Copy link
Contributor Author

I have been looking a bit and I don't see the security issue though

@perrinjerome
Copy link
Contributor Author

perrinjerome commented Oct 11, 2022

I have been looking a bit and I don't see the security issue though

I posted that before seeing #231 (comment) . I see your point now. I don't see a consensus in the python ecosystem (several python packages and python itself installs with their tests), but these are valid arguments for not including the tests.

( even if that does not matter, for the records, I think my personal preference is to install the tests )

perrinjerome added a commit to perrinjerome/RestrictedPython that referenced this pull request Oct 11, 2022
This reverts commit 84a5015 and
commit 4816526.

RestrictedPython intentionally does not include tests anymore

See discussion on zopefoundation#231
and zopefoundation#232
@d-maurer
Copy link
Contributor

d-maurer commented Oct 11, 2022 via email

@d-maurer
Copy link
Contributor

d-maurer commented Oct 11, 2022 via email

@loechel
Copy link
Member

loechel commented Oct 11, 2022

d-maurer wrote at 2022-10-11 06:17 -0700:

It cannot be a security issue -- because the source is publicly available. Anybody interested can look there to design a potential attack.

@d-maurer it is not a problem in the sense of confidentiality, and I totally agree with you that the test should be public avaliable and even shipped with the code / package. Every user should be able to look at the tests and check them. I also agree that tests are often a good example or hint how to use the software.

It is a regular security issue in the run time purpose. You should not depend on any testing framework or tests in a production deployment, as those adds additional dependencies and could sometimes enable ceratin mocks, so that the intended functionality is not provided.

I know, RestrictedPython is primary used in web development (Zope/Plone), and it is not life critical. But I keep my opinion, coming from developing aviation software. There are several known losts of planes and rockets, because someone shipped test code into production. So I always abstain from including tests into the production code. pytest and other test frameworks work perfectly with a separated test directory, so I use that separation.

@dataflake
Copy link
Member

I understand the point but as you say yourself, RestrictedPython issues won't kill anyone. Besides, we ship the tests for all packages in the zopefoundation GH organization. Changing that for one package makes no sense.

@d-maurer
Copy link
Contributor

d-maurer commented Oct 11, 2022 via email

@dataflake
Copy link
Member

My preferred outcome here would be the following:

  • tests are located at src/RestrictedPython/tests to match all other packages we have
  • tests use zope.testrunner and not pytest, again to match all other packages we have

That way the maintenance burden is reduced.

icemac pushed a commit that referenced this pull request Oct 12, 2022
This reverts commit 84a5015 and
commit 4816526.

RestrictedPython intentionally does not include tests anymore

See discussion on #231
and #232
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

RestrictedPython.tests package no longer installed ?
5 participants